ws-dev mailing list archives

From "L (JIRA)" <>
Subject [jira] [Created] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
Date Sun, 26 May 2019 19:01:00 GMT
L created WSS-651:

             Summary: Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
                 Key: WSS-651
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.2.3
            Reporter: L
            Assignee: Colm O hEigeartaigh

I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting
some of the documents signed by WSS4J 2.2.3.

After some investigation I managed to reproduce it and make WSS4J reject its own signed

The problem can be reproduced quite easily with modified org.apache.wss4j.dom.message.SignatureTest:

I have copy-pasted the method testSignedTimestamp() and modified it slightly. This is the full source
code of the new method:

    public void testSignedTimestamp1() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
        WSSecHeader secHeader = new WSSecHeader(doc);

        WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);

        WSSecSignature builder = new WSSecSignature(secHeader);
        builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");

        // Makes no difference, tested with it and without it.
        // Added to test because my code sets it to false
        // builder.setAddInclusivePrefixes(false);

        WSEncryptionPart encP =
            new WSEncryptionPart(


        List<javax.xml.crypto.dsig.Reference> referenceList =

        builder.computeSignature(referenceList, false, null);

        String  outputString = XMLUtils.prettyDocumentToString(doc);

        if (LOG.isDebugEnabled()) {
            LOG.debug("After Signing....");

        // !!!!
        // Makes all the difference: validating just signed document works,
        // validating serialized and parsed document does not
        Document  doc2 = SOAPUtil.toSOAPPart(outputString);
        // Document  doc2 = doc;


    public static final String SAMPLE_SOAP_MSG_WSU_NS =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<SOAP-ENV:Envelope "
        +   "xmlns:SOAP-ENV=\"\" "
        +   "xmlns:xsd=\"\" "
        +   "xmlns:xsi=\"\" "
        // !!!!
        // Makes all the difference: uncomment it and validating the serialized
        // and parsed document fails
        // +   "xmlns:u=\"\" "
        +   ">"
        +   "<SOAP-ENV:Body>"
        +       "<add xmlns=\"\">"
        +           "<value xmlns=\"\">15</value>"
        +       "</add>"
        +   "</SOAP-ENV:Body>"
        + "</SOAP-ENV:Envelope>";


Important parts are marked with '!!!!' comments:
 1. You need to verify the document after it was serialized and parsed back. Then the verification
fails. Verifying the signed document "in memory" succeeds.
 2. The original, to-be-signed document must have the WSU_NS namespace with some prefix other
than 'wsu' declared on any ancestor of the to-be-inserted wsse:Security


